---
# tasklist for setting up fedmsg
# This is the base set of files needed for fedmsg

- name: install needed packages
  yum: pkg={{ item }} state=present
  with_items:
  - fedmsg
  - libsemanage-python
  - python-psutil
  - policycoreutils-python  # This is in the kickstart now.  Here for old hosts.
  tags:
  - packages

# We use setgid here so that the monitoring sockets created by fedmsg services
# are accessible to the nrpe group.
- name: create a /var/run/fedmsg dir with setgid for monitoring.
  file: >
    dest=/var/run/fedmsg
    mode=2775
    owner=fedmsg
    group=nrpe
    state=directory

- name: setup /etc/fedmsg.d directory
  file: path=/etc/fedmsg.d owner=root group=root mode=0755 state=directory
  tags:
  - config

# Any files that change need to restart any services that depend on them.  A
# trick here is that some hosts have an httpd that uses fedmsg, while others do
# not.  Some hosts have a fedmsg-hub that uses this config, while others do not.
# Our handlers in handlers/restart_services.yml are smart enough to
# *conditionally* restart these services, only if they are installed on the
# system.
- name: setup basic /etc/fedmsg.d/ contents
  template: >
    src="{{ item }}.j2"
    dest="/etc/fedmsg.d/{{ item }}"
    owner=root
    group=root
    mode=644
  with_items:
  - ssl.py
  - relay.py
  - logging.py
  - base.py
  tags:
  - config
  - fedmsgdconfig
  notify:
  - restart httpd
  - restart fedmsg-relay

- name: Remove unwanted files
  file: dest=/etc/fedmsg.d/{{item}} state=absent
  with_items:
  - endpoints.py 
  tags:
  - config
  - fedmsgdconfig
  notify:
  - restart httpd
  - restart fedmsg-relay

- name: setup /etc/pki/fedmsg directory
  file: path=/etc/pki/fedmsg owner=root group=root mode=0755 state=directory
  tags:
  - config

- name: install fedmsg ca.cert
  copy: >
    src="{{ puppet_private }}/fedmsg-certs/keys/ca.crt"
    dest=/etc/pki/fedmsg/ca.crt
    owner=root
    group=root
    mode=0644
  tags:
  - config

- name: fedmsg certs
  copy: >
    src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}.crt"
    dest=/etc/pki/fedmsg/
    mode=644
    owner={{item['owner']}}
    group={{item['group']}}
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config

- name: fedmsg keys
  copy: >
    src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}.key"
    dest=/etc/pki/fedmsg/
    mode=0640
    owner={{item['owner']}}
    group={{item['group']}}
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config

# Three tasks for handling our custom selinux module
- name: ensure a directory exists for our custom selinux module
  file: dest=/usr/local/share/fedmsg state=directory

- name: copy over our custom selinux module
  copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
  register: selinux_module

- name: install our custom selinux module
  command: semodule -i /usr/local/share/fedmsg/fedmsg.pp
  when: selinux_module|changed
